# dependency-management
Reposting here from #CAHSN3LDN, as this may be the more proper channel: Hey folks! We're looking at setting up some dependency [signature] verification for our repo (per dependency verification), but it doesn't look like signature verification accounts for subkeys? For example, if we want to trust all the public subkeys for `eb4c1bfd4f042f6dddccec917721f63bd38b4796` on the Ubuntu keyserver, we'd have to manually add a `<trusted-key>` entry per subkey. I can see the value in doing this, since subkeys are usually rotated, but from a consumer standpoint this seems verbose. I guess a better question would be: is there a way to have Gradle automatically add subkeys of a trusted key to the metadata XML file? I understand you can run `./gradlew --write-verification-metadata pgp,sha256` to automatically populate the metadata, but that can potentially introduce excessive positives for untrusted artifacts. Ideally, we want to automatically update the metadata file, but only for updating trusted keys per remote key servers. Am I missing some feature or misunderstanding something about the process here?
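For readers unfamiliar with the file the post is talking about, here is an added illustration (not from the original post or from Gradle's docs) of a `gradle/verification-metadata.xml` with the Ubuntu keyserver configured and one `<trusted-key>` entry per signing key; the `group` value and the subkey fingerprint are placeholders, only the primary key id is taken from the post.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.3.xsd">
  <configuration>
    <!-- Check published checksums and PGP signatures for every resolved artifact. -->
    <verify-metadata>true</verify-metadata>
    <verify-signatures>true</verify-signatures>
    <key-servers>
      <!-- Keyserver named in the post; Gradle fetches unknown public keys from here. -->
      <key-server uri="hkp://keyserver.ubuntu.com"/>
    </key-servers>
    <trusted-keys>
      <!-- Primary key fingerprint quoted in the post; "com.example" is a placeholder group. -->
      <trusted-key id="eb4c1bfd4f042f6dddccec917721f63bd38b4796" group="com.example"/>
      <!-- An artifact signed by a subkey is matched on that subkey's own fingerprint,
           so it needs a separate entry. PLACEHOLDER value, not a real key. -->
      <trusted-key id="SUBKEY_FINGERPRINT_PLACEHOLDER" group="com.example"/>
    </trusted-keys>
  </configuration>
  <!-- Per-artifact checksums written by --write-verification-metadata would go here. -->
  <components/>
</verification-metadata>
```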